Skip to main content
UnderscoresAndDashes
UnderscoresAndDashes
Explorer
January 15, 2025
Question

IPSec IKE mode-cfg not handing out ip addresses to dialup fortigates. v7.2.10

  • January 15, 2025
  • 3 replies
  • 2736 views

I thought it was possible to have the Hub hand out an ip addresses via mode-cfg from the Dialup IPSec tunnel, doesn't seem to work. Is it supposed to work when a branch Fortigate dials into the Hub Fortigate. 

Here are my IPSec configurations for the Hub and a Spoke. 

(The tunnels are up, it's just that the spoke will not grab an IP Address or the Hub is not handing them out)

TunnelsNew.jpg

HUB:

config vpn ipsec phase1-interface
edit "advpn_1"
set type dynamic
set interface "port3"
set ike-version 2
set peertype one
set net-device disable
set mode-cfg enable
set proposal aes256-sha256
set add-route disable
set auto-discovery-sender enable
set peerid "100"
set ipv4-start-ip 172.50.100.100
set ipv4-end-ip 172.50.103.200
set ipv4-netmask 255.255.252.0
set psksecret 
set dpd-retrycount 2
set dpd-retryinterval 10
next
end

-----------------------------------------------------------------

Spoke:

config vpn ipsec phase1-interface
edit "advpn_1"
set interface "wan2"
set ike-version 2
set peertype any
set net-device enable
set mode-cfg enable
set proposal aes256-sha256
set add-route disable
set localid "100"
set auto-discovery-receiver enable
set auto-discovery-shortcuts dependent
set remote-gw x.x.x.x
set psksecret 
set dpd-retrycount 2
set dpd-retryinterval 10
next
end

----------------------------------------------------------------

This is what I get when I run the below on the Spoke side:

diagnose ip router bgp level info

diag ip router bgp all enable

di de en

 

BGP: 172.50.100.1-Outgoing [FSM] State: Active Event: 9
BGP: 172.50.100.1-Outgoing [FSM] State: Connect Event: 9
BGP: 172.50.100.1-Outgoing [NETWORK] FD=26, Sock Status: 101-Network is unreachable
BGP: 172.50.100.1-Outgoing [FSM] State: Connect Event: 18
BGP: 172.50.100.1-Outgoing [FSM] State: Active Event: 9
BGP: 172.50.100.1-Outgoing [FSM] State: Connect Event: 9
BGP: 172.50.100.1-Outgoing [NETWORK] FD=26, Sock Status: 101-Network is unreachable
BGP: 172.50.100.1-Outgoing [FSM] State: Connect Event: 18
di deBGP: 172.50.100.1-Outgoing [FSM] State: Active Event: 9
BGP: 172.50.100.1-Outgoing [FSM] State: Connect Event: 9
BGP: 172.50.100.1-Outgoing [NETWORK] FD=26, Sock Status: 101-Network is unreachable
BGP: 172.50.100.1-Outgoing [FSM] State: Connect Event: 18

 

This leads me to the Spoke not getting an IP from the Hub via ike mode-cfg

3 replies

Dhruvin_patel
Staff
Dhruvin_patel
Staff
January 15, 2025

Greetings!

 

Could you provide the output of the command diagnose vpn ike gateway list from the spoke after the tunnel is up?

The output will help us identify the spoke receiving the IP address from the hub.

 

Regards!

If you have found a solution, please like and accept it to make it easily accessible for others.

    UnderscoresAndDashes
    UnderscoresAndDashesAuthor
    Explorer
    January 16, 2025

    Why aren't my replies being saved in this post? 

    UnderscoresAndDashes
    UnderscoresAndDashesAuthor
    Explorer
    January 16, 2025

    My previous replies apparently didn't save. I am trying in multiple replies.

    Fith attempt:
    It does look like the Tunnels are getting IP addresses:

    vd: root/0
    name: advpn_1
    version: 2
    interface: wan2 6
    addr: x.x.x.x:4500 -> x.x.x.x:4500
    tun_id: x.x.x.x/::x.x.x.x
    remote_location: 0.0.0.0
    network-id: 0
    created: 81724s ago
    peer-id: x.x.x.x
    peer-id-auth: no
    assigned IPv4 address: 172.50.100.100/255.255.255.255
    nat: peer
    auto-discovery: 2 receiver
    PPK: no
    IKE SA: created 1/1 established 1/1 time 190/190/190 ms
    IPsec SA: created 1/2 established 1/2 time 90/140/190 ms

    id/spi: 406 fe1ba136cc42d3b1/f227432e431a463a
    direction: initiator
    status: established 81724-81724s ago = 190ms
    proposal: aes256-sha256
    child: no
    SK_ei: 3b24718f4a29ed9c-d8b0f92cc802bfaf-69001bab48378b48-05ded5b554fb118b
    SK_er: 37fbcc92dd9f518e-45866fb0fd003f72-e47d139b45f1ffb2-986578b7e0432d5b
    SK_ai: 62e8c173d8d71dde-40a4b1a65fd6b677-c3b2ffae2b31037e-20aa7d4ca49de932
    SK_ar: bcf7e7fd0b31edba-1240a680513ec3e4-f79b17e7a3913577-b662c8b626a8b6f3
    PPK: no
    message-id sent/recv: 3803/0
    lifetime/rekey: 86400/4375
    DPD sent/recv: 00000ede/00000ede
    peer-id: x.x.x.x

    UnderscoresAndDashes
    UnderscoresAndDashesAuthor
    Explorer
    January 16, 2025

    For some reason the route to the Neighbor is not being injected. In this lab I am using a SDWan zone, which both tunnels are a member of. I have added the Neighbor subnets to the Hub BGP prefixes, but that not going to help if the spoke can't pull routing from the Hub. I have tried adding a static route in the spoke for the neighbor subnets, but then I get a reverse path error on the Hub. When I had the tunnels statically IP'd, the only static route I needed was a 10DOT Blackhole route. So now I have added a static route to both the Hub and Spoke for the Neiborhood subnets and now it's working. I guess it makes sense, for whatever reason I was under the impression that the routes for the Neighborships would be auto-injected. 

    pminarik
    Staff
    pminarik
    Staff
    January 16, 2025

    Interface IPs can be exchanged between the two peers either via "set exchange-interface-ip enable" in phase1 configuration, or if using ADVPN this option is auto-enabled by force.

     

    Have a look at the ike debugs when the phase1 is being established. You're looking for lines like:

    "VID Fortinet Exchange Interface IP"
    "add INTERFACE-ADDR4 <other-side's-IP"

    "received p1 notify type INTERFACE-ADDR4"

    "add connected route <local-ip> -> <other-side's-IP>"

    Terms & ConditionsAccessibility statement